Migrated Tomcat Vault to be compatible with JDK18+ and Tomcat 10 by removing deprecated classes (SecurityManager, AccessController)

INSTALL.md

@@ -28,6 +28,13 @@ Building and Configuring Your Vault:
     $ mvn package
     ~~~
 
+By default, the Tomcat major version this tool builds against is Tomcat 9 (exact version is specified in the `pom.xml` file). If you wish to build with a different exact version, please update the file accordingly and then add the appropriate `-Pprofile-name` command line argument to the command if you are targeting a different Tomcat major version. For example, if you wish to build for Tomcat 10, you would run:
+
+    ~~~
+    $ mvn package -Ptomcat-10
+    ~~~
+
+
 3. Copy the generated tomcat-vault JAR to `$CATALINA_BASE/lib/`:
 
     ~~~

pom.xml

@@ -10,11 +10,39 @@
     <name>Vault extension for Apache Tomcat</name>
 
     <properties>
-        <tomcat.version>9.0.76</tomcat.version>
-        <maven.compiler.source>1.8</maven.compiler.source>
-        <maven.compiler.target>1.8</maven.compiler.target>
+        <maven.surefire.plugin.version>3.5.3</maven.surefire.plugin.version>
     </properties>
 
+    <profiles>
+        <profile>
+            <id>tomcat-85</id>
+            <properties>
+                <tomcat.version>8.5.100</tomcat.version>
+                <maven.compiler.source>1.8</maven.compiler.source>
+                <maven.compiler.target>1.8</maven.compiler.target>
+            </properties>
+        </profile>
+        <profile>
+            <id>tomcat-9</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <properties>
+                <tomcat.version>9.0.105</tomcat.version>
+                <maven.compiler.source>1.8</maven.compiler.source>
+                <maven.compiler.target>1.8</maven.compiler.target>
+            </properties>
+        </profile>
+        <profile>
+            <id>tomcat-10</id>
+            <properties>
+                <tomcat.version>10.1.41</tomcat.version>
+                <maven.compiler.source>21</maven.compiler.source>
+                <maven.compiler.target>21</maven.compiler.target>
+            </properties>
+        </profile>
+    </profiles>
+
     <dependencies>
         <dependency>
             <groupId>org.apache.tomcat</groupId>
@@ -68,7 +96,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.0.0-M5</version>
+                <version>${maven.surefire.plugin.version}</version>
                 <configuration>
                     <useModulePath>false</useModulePath>
                 </configuration>

src/main/java/org/apache/tomcat/vault/security/ExternalPasswordCache.java

@@ -1,24 +1,24 @@
 /*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
 
 package org.apache.tomcat.vault.security;
 
@@ -60,10 +60,6 @@ private ExternalPasswordCache() {
     }
 
     public static ExternalPasswordCache getExternalPasswordCacheInstance() {
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(new RuntimePermission(ExternalPasswordCache.class.getName() + ".getExternalPasswordCacheInstance"));
-        }
         return PASSWORD_CACHE;
     }
 
@@ -131,13 +127,9 @@ public void reset() {
         log.trace(sm.getString("externalPasswordCache.resettingCache"));
         cache.clear();
     }
-
-
 }
 
 class PasswordRecord {
-
     long timeOut;
     char[] password;
-
-}
+}

src/main/java/org/apache/tomcat/vault/security/Util.java

@@ -29,9 +29,6 @@
 import java.io.BufferedReader;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
 import java.security.Provider;
 import java.security.Security;
 import java.util.StringTokenizer;
@@ -71,12 +68,7 @@ public class Util {
      * @return the password characters
      * @throws Exception
      */
-    public static char[] loadPassword(String passwordCmd)
-            throws Exception {
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(new RuntimePermission(Util.class.getName() + ".loadPassword"));
-        }
+    public static char[] loadPassword(String passwordCmd) throws Exception {
         char[] password = null;
         String passwordCmdType = null;
 
@@ -150,14 +142,7 @@ private static char[] execPasswordCmd(String passwordCmd)
     }
 
     private static String execCmd(String cmd) throws Exception {
-        SecurityManager sm = System.getSecurityManager();
-        String line;
-        if (sm != null) {
-            line = RuntimeActions.PRIVILEGED.execCmd(cmd);
-        } else {
-            line = RuntimeActions.NON_PRIVILEGED.execCmd(cmd);
-        }
-        return line;
+        return RuntimeActions.execCmd(cmd);
     }
 
     /**
@@ -170,108 +155,65 @@ private static String execCmd(String cmd) throws Exception {
      */
     private static char[] execPBBasedPasswordCommand(String passwordCmd) throws Exception {
         log.trace(strm.getString("util.beginExecPasswordCmd", passwordCmd));
-        SecurityManager sm = System.getSecurityManager();
-        String password;
-        if (sm != null) {
-            password = RuntimeActions.PB_BASED_PRIVILEGED.execCmd(passwordCmd);
-        } else {
-            password = RuntimeActions.PB_BASED_NON_PRIVILEGED.execCmd(passwordCmd);
-        }
+        String password = RuntimeActions.execPBBasedCmd(passwordCmd);
         return password.toCharArray();
     }
 
+    /**
+     * Simplified RuntimeActions - removed privileged variants
+     */
+    static class RuntimeActions {
 
-    interface RuntimeActions {
-        RuntimeActions PRIVILEGED = new RuntimeActions() {
-            public String execCmd(final String cmd)
-                    throws Exception {
-                try {
-                    String line = AccessController.doPrivileged(
-                            new PrivilegedExceptionAction<String>() {
-                                public String run() throws Exception {
-                                    return NON_PRIVILEGED.execCmd(cmd);
-                                }
-                            }
-                    );
-                    return line;
-                } catch (PrivilegedActionException e) {
-                    throw e.getException();
-                }
+        public static String execCmd(final String cmd) throws Exception {
+            Runtime rt = Runtime.getRuntime();
+            Process p = rt.exec(cmd);
+            InputStream stdin = null;
+            String line;
+            BufferedReader reader = null;
+            try {
+                stdin = p.getInputStream();
+                reader = new BufferedReader(new InputStreamReader(stdin));
+                line = reader.readLine();
+            } finally {
+                if (reader != null)
+                    reader.close();
+                if (stdin != null)
+                    stdin.close();
             }
-        };
-        RuntimeActions NON_PRIVILEGED = new RuntimeActions() {
-            public String execCmd(final String cmd)
-                    throws Exception {
-                Runtime rt = Runtime.getRuntime();
-                Process p = rt.exec(cmd);
-                InputStream stdin = null;
-                String line;
-                BufferedReader reader = null;
-                try {
-                    stdin = p.getInputStream();
-                    reader = new BufferedReader(new InputStreamReader(stdin));
-                    line = reader.readLine();
-                } finally {
-                    if (reader != null)
-                        reader.close();
-                    if (stdin != null)
-                        stdin.close();
-                }
 
-                int exitCode = p.waitFor();
-                log.trace(strm.getString("util.endExecPasswordCmd", exitCode));
-                return line;
-            }
-        };
-        RuntimeActions PB_BASED_PRIVILEGED = new RuntimeActions() {
-            public String execCmd(final String command)
-                    throws Exception {
-                try {
-                    String password = AccessController.doPrivileged(
-                            new PrivilegedExceptionAction<String>() {
-                                public String run() throws Exception {
-                                    return PB_BASED_NON_PRIVILEGED.execCmd(command);
-                                }
-                            }
-                    );
-                    return password;
-                } catch (PrivilegedActionException e) {
-                    throw e.getException();
-                }
-            }
-        };
-        RuntimeActions PB_BASED_NON_PRIVILEGED = new RuntimeActions() {
-            public String execCmd(final String command) throws Exception {
-                final String[] parsedCommand = parseCommand(command);
-                final ProcessBuilder builder = new ProcessBuilder(parsedCommand);
-                final Process process = builder.start();
-                final String line;
-                BufferedReader reader = null;
-                try {
-                    reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
-                    line = reader.readLine();
-                } finally {
-                    if (reader != null)
-                        reader.close();
-                }
+            int exitCode = p.waitFor();
+            log.trace(strm.getString("util.endExecPasswordCmd", exitCode));
+            return line;
+        }
 
-                int exitCode = process.waitFor();
-                log.trace(strm.getString("util.endExecPasswordCmd", exitCode));
-                return line;
+        public static String execPBBasedCmd(final String command) throws Exception {
+            final String[] parsedCommand = parseCommand(command);
+            final ProcessBuilder builder = new ProcessBuilder(parsedCommand);
+            final Process process = builder.start();
+            final String line;
+            BufferedReader reader = null;
+            try {
+                reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
+                line = reader.readLine();
+            } finally {
+                if (reader != null)
+                    reader.close();
             }
 
-            protected String[] parseCommand(String command) {
-                // comma can be backslashed
-                final String[] parsedCommand = command.split("(?<!\\\\),");
-                for (int k = 0; k < parsedCommand.length; k++) {
-                    if (parsedCommand[k].indexOf('\\') != -1)
-                        parsedCommand[k] = parsedCommand[k].replaceAll("\\\\,", ",");
-                }
-                return parsedCommand;
-            }
-        };
+            int exitCode = process.waitFor();
+            log.trace(strm.getString("util.endExecPasswordCmd", exitCode));
+            return line;
+        }
 
-        String execCmd(String cmd) throws Exception;
+        private static String[] parseCommand(String command) {
+            // comma can be backslashed
+            final String[] parsedCommand = command.split("(?<!\\\\),");
+            for (int k = 0; k < parsedCommand.length; k++) {
+                if (parsedCommand[k].indexOf('\\') != -1)
+                    parsedCommand[k] = parsedCommand[k].replaceAll("\\\\,", ",");
+            }
+            return parsedCommand;
+        }
     }
 
     /**
@@ -298,21 +240,18 @@ public static boolean isPasswordCommand(char[] passwordCmd) {
         return (passwordCmd != null) && isPasswordCommand(new String(passwordCmd));
     }
 
-   /**
+    /**
      * Check for FIPS (vault can't be used with FIPS).
      *
      * @return
      */
     public static boolean isFIPS() {
-
-        Provider[] providers=Security.getProviders();
-        for (int i=0; i < providers.length;i++) {
-             if (providers[i].getName().toLowerCase().contains("fips")) {
-                 return true;
-             }
+        Provider[] providers = Security.getProviders();
+        for (int i = 0; i < providers.length; i++) {
+            if (providers[i].getName().toLowerCase().contains("fips")) {
+                return true;
+            }
         }
-
         return false;
     }
-
-}
+}